Non-qualifying Regulatory Provisions Summary Reporting

Regulator: Information Commissioner’s Office

Business Impact Target Reporting Period Covered: 8 May 2015 - 26 May 2017

Excluded Category | Summary of measure(s), including any impact data where available

A - EU and International

We have produced guidance documents for business
to explain the requirements of the new EU General
Data Protection Regulation (GDPR) and we have
submitted QRP Assessments for these.

None of the changes of European origin place
additional burdens on business beyond those required
under legislation of EU origin, i.e. no gold plating has
occurred.


B - Economic Regulation

No new activities/actions

C - Price Control

No new activities/actions

D - Civil Emergencies

No new activities/actions

E - Fines and Penalties

No new activities/actions

F - Pro-Competition

No new activities/actions

G - Large Infrastructure projects

No new activities/actions

H - Misuse of Drugs/National Minimum Wage

No new activities/actions

I - Systemic Financial Risk

No new activities/actions

K - Industry Codes

No new activities/actions


L1 - Casework

L2 - Education, communications and promotion

No activities listed in this section represent a change
in the burden of regulation placed on business,
except where these result from a separate qualifying
regulatory provision that has been assessed.


Our regulatory activities which can be classed as 
‘casework’ include requests for assessment under 
section 42 of the Data Protection Act, enforcement 
work, audits and a helpline and written enquiries 
service. In the period May 2015 to date, the numbers 
of these relating to businesses were as follows: 


Requests for assessment: 4797 
Enforcement work: 481 cases 


Audits: 

Full audits - 3 

Undertaking follow-ups - 7 
Information Risk reviews - 3 
Advisory visits - 138 


In January 2016 we published a Data Protection
Self-Assessment Toolkit on our website. This enables
organisations, particularly SMEs, to carry out a basic
self-audit, in order to identify areas they need to
consider in relation to data protection, such as
privacy notices and privacy impact assessments. We
regard this as a form of audit activity, rather than
guidance.


During this period we have published a number of 
videos, webinars and conference recordings on data 
protection matters. We consider that these fall within 
the category of education, communications and 
promotion, since they are intended to raise 
awareness of DP issues and provide a record of our 
events, rather than to impose any obligation or 
requirement on businesses. 


These are as follows: 


Logging, tracking, movement and storage of manual records in the health sector | Webinar | 33:56
Q&A session | Data Protection Practitioners Conference (DPPC) recording | 41:46
GDPR prep panel - third sector | DPPC recording | 53:50
GDPR prep panel - public sector | DPPC recording
ICO international strategy | DPPC recording
GDPR prep panel - private sector | DPPC recording | 1:01:02
J. Trevor Hughes speech | DPPC recording | 24:28
Rob Luke speech | DPPC recording | 4:16
Elizabeth Denham speech | DPPC recording | 20:47
Data protection for the education sector | Webinar | 51:07
Elizabeth Denham speech | Fundraising Regulatory Compliance Conference (FRCC) recording | 24:09


59:24 


27:51 


Paula Sussex speech | FRCC recording | 14:38
Gerald Oppenheim’s speech | FRCC recording | 21:17
Henry Rowlings speech | FRCC recording
Emma Malcolm speech | FRCC recording
Questions to panel | FRCC recording
Closing remarks | FRCC
Data protection for SMEs | Webinar
Data Protection on the move | Webinar
Can you afford a data breach | Webinar | 38:40
Cyber security | Webinar | 44:31
Data protection for law firms | Webinar | 41:18
Record management for the public sector | Webinar | 46:43
ICO data protection toolkit for businesses and organisations | Film | 0:23
Encryption scenarios - USB devices | Video | 0:20
Encryption scenarios - mobile devices | Video | 0:21
Encryption scenarios - email | Video | 0:20
Enforcement raid | Video | 0:23
Enforcement raid
Handling personal data tips for GPs | Webinar
Introduction to GDPR | Video
Workshop G seminar - consent | Recording
Record management and data retention | Recording
Subject access request | Webinar
Direct marketing for charities | Webinar | 25:28


We hold an annual conference for data protection 
practitioners each Spring which is attended by a cross 
section of businesses, and we also organise other 
awareness-raising events relevant to business, 
including an SME Data Protection Conference in April 
2016. 


None of the material produced creates a new 
regulatory standard that businesses are expected to 
follow and attendance at educational and promotional 
events is not compulsory. 


L3 - Activity related to policy development

From February to March 2016 we carried out
a consultation on our draft Code of Practice on
privacy notices. The final version of the Code was
published in September 2017 and we have submitted
a QRP Assessment for it.


We are currently carrying out a consultation on our 
draft guidance on consent under the EU General Data 
Protection Regulation (GDPR). The closing date is 31 
March 2017. 


L4 - Changes to management of regulator

In July 2016 Elizabeth Denham succeeded
Christopher Graham as Information Commissioner.
Elizabeth has set up a new Senior Leadership Team,
comprising the Commissioner, the Deputy
Commissioner (Operations), the Deputy Commissioner
(Policy), the Deputy Chief Executive Officer and the
General Legal Counsel (to be appointed). There has
also been further reorganisation within departments,
and the ICO is implementing an internal Change
Programme in order to prepare for our responsibilities
as the Data Protection Authority under the GDPR.
These are internal arrangements and do not impose
any obligations or costs on business.


